US20160232351A1 - Method and device for identifying computer virus variants - Google Patents
Method and device for identifying computer virus variants Download PDFInfo
- Publication number
- US20160232351A1 US20160232351A1 US15/016,048 US201615016048A US2016232351A1 US 20160232351 A1 US20160232351 A1 US 20160232351A1 US 201615016048 A US201615016048 A US 201615016048A US 2016232351 A1 US2016232351 A1 US 2016232351A1
- Authority
- US
- United States
- Prior art keywords
- virus
- api call
- api
- matching
- call sequence
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 241000700605 Viruses Species 0.000 title claims abstract description 304
- 238000000034 method Methods 0.000 title claims abstract description 53
- 238000004422 calculation algorithm Methods 0.000 claims description 16
- 238000005516 engineering process Methods 0.000 abstract description 6
- 239000008186 active pharmaceutical agent Substances 0.000 description 14
- 238000010586 diagram Methods 0.000 description 12
- 230000008569 process Effects 0.000 description 10
- 238000001514 detection method Methods 0.000 description 8
- 230000006399 behavior Effects 0.000 description 7
- 230000006870 function Effects 0.000 description 7
- 238000012545 processing Methods 0.000 description 7
- 230000007246 mechanism Effects 0.000 description 6
- 102100037024 E3 ubiquitin-protein ligase XIAP Human genes 0.000 description 5
- 101000804865 Homo sapiens E3 ubiquitin-protein ligase XIAP Proteins 0.000 description 5
- 238000004590 computer program Methods 0.000 description 5
- 238000007781 pre-processing Methods 0.000 description 5
- SPBWHPXCWJLQRU-FITJORAGSA-N 4-amino-8-[(2r,3r,4s,5r)-3,4-dihydroxy-5-(hydroxymethyl)oxolan-2-yl]-5-oxopyrido[2,3-d]pyrimidine-6-carboxamide Chemical compound C12=NC=NC(N)=C2C(=O)C(C(=O)N)=CN1[C@@H]1O[C@H](CO)[C@@H](O)[C@H]1O SPBWHPXCWJLQRU-FITJORAGSA-N 0.000 description 4
- 102100021677 Baculoviral IAP repeat-containing protein 2 Human genes 0.000 description 4
- 102100021662 Baculoviral IAP repeat-containing protein 3 Human genes 0.000 description 4
- 101000896157 Homo sapiens Baculoviral IAP repeat-containing protein 2 Proteins 0.000 description 4
- 101000896224 Homo sapiens Baculoviral IAP repeat-containing protein 3 Proteins 0.000 description 4
- 230000004913 activation Effects 0.000 description 4
- 230000000153 supplemental effect Effects 0.000 description 4
- 238000012360 testing method Methods 0.000 description 4
- 241000282693 Cercopithecidae Species 0.000 description 3
- 230000002155 anti-virotic effect Effects 0.000 description 3
- 102100026862 CD5 antigen-like Human genes 0.000 description 2
- 101000911996 Homo sapiens CD5 antigen-like Proteins 0.000 description 2
- 230000007423 decrease Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000018109 developmental process Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000004088 simulation Methods 0.000 description 2
- 102100039986 Apoptosis inhibitor 5 Human genes 0.000 description 1
- 102100021663 Baculoviral IAP repeat-containing protein 5 Human genes 0.000 description 1
- 101000959871 Homo sapiens Apoptosis inhibitor 5 Proteins 0.000 description 1
- 101000896234 Homo sapiens Baculoviral IAP repeat-containing protein 5 Proteins 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 230000010460 detection of virus Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 238000009877 rendering Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/561—Virus type analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
Definitions
- Embodiments relate to the field of Internet technology and, more particularly, to identifying virus variants.
- the Android platform has quickly grown to become the smart device operating system with the largest market share because it is free and open source.
- safety issues including, but not limited to, malwares, worms, Trojans, and botnets are emerging.
- Developments have been made in combating antivirus technology by those who develop and transmit viruses, including but not limited to, modifying condition codes, using Java reflection call mechanisms, character string decoding technology, as well as fine tuning-function can structure. This creates a large number of virus variants, thereby leading to inefficiency in the detection and removal of the viruses.
- the antivirus software under the Android platform usually uses the technique of identifying condition codes to detect and remove viruses.
- those who develop and transmit viruses keep developing techniques to make viruses non-detectable. For example, they use mechanisms such as ProGuard, which mixes feature information of virus programs such as virus class names, function names, and constant strings, to mix the information, carried by viruses and make the current antivirus software incapable of detecting and removing viruses and their variants.
- Embodiments according to the disclosure provide the identifying of computer virus variants to improve the accuracy of detecting and removing viruses.
- the present disclosure overcomes the deficiencies explained above by providing techniques for identifying virus variants by a dynamic detecting mechanism, which improves the accuracy of detecting virus variants, as well as enlarges the applicable range of the techniques for detecting and removing viruses. Regardless of whether or not the identity of the virus sample to be tested has been masked by technical means, virus variants may be accurately detected.
- the dynamic detection mechanism vastly increases the application scope of virus identification and removal technology and greatly improves the virus recall ratio.
- An embodiment of the present disclosure includes a process to identify virus variants, where the process runs or operates a virus sample to be tested and records an application program interface (API) call sequence produced during the running of the virus sample. Also, a plurality of characteristic API call sequences that respectively correspond to a plurality of virus families are obtained, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family. The API call sequence produced by running the virus sample to be tested is matched with the plurality of characteristic API call sequences to obtain matching results. Based on the matching results, it is determined whether the virus sample is a type of virus variant by the extent of a match between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families.
- API application program interface
- An embodiment of the present disclosure includes an apparatus for identifying virus variants, where the apparatus includes an execution unit, a matching unit, and a recognition unit.
- the execution unit runs or operates the virus sample to be tested and records an API call sequence produced during the running of the virus sample.
- the matching unit obtains a plurality of characteristic API call sequences that respectively correspond to a plurality of virus families, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family.
- the matching unit matches the API call sequence of the virus sample with the plurality of characteristic API call sequences to obtain a matching result.
- the recognition unit determines whether the virus sample is a virus variant by the extent of a match between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families.
- the present disclosure takes the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families as references to monitor the API calls during the running of the virus sample to be tested.
- the virus sample to be tested may be or possibly be considered to be a virus variant.
- This dynamic detecting mechanism provides accurate detection of virus variants and expands the applicable range of identification and detection techniques that improve the recall ratio of viruses and decrease the rate of virus manslaughters.
- the detectable viruses that are referred to in the present disclosure include, but are not limited to, malwares, worms, Trojans, or botnets. Also, the applicable scope of the present disclosure includes, but is not limited to, virus variant techniques aimed at modifying a condition code of a virus.
- FIG. 1 illustrates a flowchart of a method of identifying virus variants in accordance with an embodiment of the present disclosure.
- FIG. 2 illustrates a block diagram of an apparatus for identifying virus variants in accordance with an embodiment of the present disclosure.
- FIG. 3 illustrates a computer system in accordance with one embodiment of the present disclosure.
- the present disclosure provides a method that identifies virus variants using simulation techniques. This method expands the applicable range for detecting and removing viruses, improves the detection rate, and decreases the rate of virus manslaughters.
- a feature library of characteristic API call sequences for a plurality of virus families is established to provide information of characteristic API call sequences for identifying virus variants in subsequent stages, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family.
- an Android simulation environment is called to pile and mark key APIs in a system.
- APIs are a set of defined functions designed to provide access to a set of routines based on certain software or hardware, with no need to access the source code for an application program. APIs also assist in understanding the details of how components interact in a program. Piling is performed to record key information of every key API at its spot, such as the calling party of an API, the API name, the API class name, etc.
- an Android simulator is created to pile and mark the APIs called by the system in the framework or the native layer of the Android system.
- the Android simulator can record and call data such as the user identification of the program.
- a virus family is composed of a series of viruses that share the same source. Therefore, based on a virus sample of a virus family, the same characteristic API call sequence that viruses in the same virus family call can be identified and extracted to generate a feature library of characteristic API call sequences that respectively correspond to the plurality of virus families.
- the API call sequence a virus family shares will be referred to as the characteristic API call sequence of that virus family.
- the framework logic of the Android simulator may be modified to avoid the wait for the occurrence of a physical triggering event that activates the viruses in the virus family. Instead, the system periodically sends different kinds of simulated self-activated events that are used to trigger the running of the virus sample of the virus family. For example, if the physical triggering event that the virus family “A” depends on is “system activation,” then during the running process of the system, instead of restarting the system during its operation, the simulated self-activation will be programmed periodically to activate “system activation” to indicate to the virus sample of the virus family “A” that its triggering condition has been met and its operation may be initiated.
- the user's operating environment such as a mobile phone operating environment and personal computer operating environment
- the user's operating environment may be simulated using “Monkey” and “UI Automator” modules.
- “Monkey” is a tool to test an Android application package on the Android system automatically.
- “UI Automator” is a framework that is used on the Android system to conduct automated tests. Users may use the logic of the framework “UI Automator” to write a test case of a certain Android application package.
- virus variant a1 has called API1, API2, API3, and API4 during operation;
- virus variant a2 has called API1, API3, API5, and API6;
- the virus variant a3 has called API2, API3, API6, and API7.
- the call rates of these three APIs exceed a preset threshold, if the preset threshold is assumed to be 50%. Then, the final choice of the characteristic API call sequence of virus family A may be determined as API1, API2, and API3.
- the call order of the APIs may or may riot be recorded depending on the application environment.
- a feature library of characteristic API call sequences may be established and used to provide characteristic API call sequences any time in the subsequent stages.
- a key API call sequence for each one of the virus families may be selected from the characteristic API call sequences that respectively correspond to the plurality of virus families.
- the key API call sequences may be stored in the feature library as well.
- the key API call sequence of each one of the virus families includes the selected key APIs that have been piled and marked from the corresponding characteristic API call sequences. Those key APIs correspond to key operations in the system, such as self-activation, connecting to Internet, obtaining private data, sending text messages, etc.
- FIG. 1 illustrates a method 1000 of identifying virus variants in accordance with an embodiment of the present disclosure.
- Step 100 a virus sample to be tested starts to run.
- Step 110 an API call sequence produced by the virus sample during the running of the virus sample is recorded.
- a single virus sample to be tested there may be a single virus sample to be tested or a group of virus samples to be tested. Since the detection process is similar for every virus sample to be tested, the present disclosure will discuss the case of a single virus sample to be tested, as an example.
- an API call sequence is generated in accordance with the API type and call order called during the operation of the virus sample to be tested.
- the framework logic of the Android simulator may be modified in order to avoid the wait time for the occurrence of a certain physical triggering event that activates the virus sample during the operation of the virus sample. Instead, the system sends different kinds of simulated self-activated events periodically to automatically trigger the activation of viruses in the virus families to be tested.
- the physical triggering event that activates the operating of viruses in the virus families to be tested relies on is “a user sends a text massage,” during the operating of the system, instead of sending the text messages regularly, the system periodically simulates a self-activating event “sending text message.” This indicates to the virus sample to be tested that the requirements to trigger its activation have been met and the operating of the virus sample may be initiated.
- the user operating environment such as a mobile phone environment and a personal computer environment, may be simulated by using “Monkey” and “UI Automator” modules.
- a characteristic API call sequence is obtained for each one of the virus families.
- the feature library includes a plurality of characteristic API call sequences that respectively correspond to a plurality of virus families, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family.
- the API call sequence produced by the virus sample to be tested during its operation is matched with the characteristic API call sequences of the virus families.
- the matching result is obtained.
- the generated characteristic API call sequences that respectively correspond to each one of the virus families may be obtained from the feature library of the characteristic API call sequence that has been generated in the preprocessing stage. Then, the API call sequence of the virus sample may be matched with each one of the characteristic API call sequences of the virus families.
- a string matching algorithm may be adopted.
- the string matching algorithm may be used to determine whether there is at least one API timing sequence in the API call sequence path of the virus sample that matches to an extent at least one of the characteristic API call sequences of the virus families.
- the virus sample to be tested may be or possibly be considered to be a virus variant of the virus families.
- String matching algorithm is an exemplary matching algorithm used in the present disclosure. For example, assuming a call path of a function has a series of virus features “P:p1p2p3p4” and assuming a call path of a function “T:t1t2t3t4t5t6t7t8t9” is obtained after the operation of a virus sample. In order to compare these two call paths using the string matching algorithm, it may be determined whether there is a “p1p2p3p4” call path in the call path “t1t2t3t4t5t6t7t8t9.” The simplest way to perform the matching is first to compare “t1” and “p1” to determine if “t1” and “p1” are equivalent.
- Examples of classic algorithms in the family of string matching algorithms include the Knuth-Morris-Pratt algorithm and the Boyer-Moore algorithm.
- the operations that can be conducted include, but are not limited to the following operations: determining a first API type and APT call order called when operating the characteristic API call sequence “1” of the virus family and determining a second API type and API call order called when operating the API call sequence of the virus sample to be tested.
- the matching rate between the first and second API types and API call orders may be calculated using an algorithm including, but not limited to, a string matching algorithm. If the matching rate reaches a first set limit (e.g., 80%) for at least one of the characteristic APT call sequences of virus families, it may be determined that the matching is complete and successful.
- a first set limit e.g., 80%
- a key API call sequence “1” that corresponds to the characteristic API call sequence “1” of the virus family may be selected from the feature library of characteristic API call sequences configured in the preprocessing stage.
- the key API call sequence “1” includes the key APIs that are appointed and selected from the characteristic API call sequence, which are also interpreted as the piled and marked APIs in the preprocessing stage.
- the key API is appointed in advance and is able to influence the safe operation of the system.
- the next step is to determine a third API type and API call order when operating the key API call sequence “1” and to calculate the matching rate between the second and third API types and APT call orders. If the matching rate between the second and third API types and API call orders reaches a second set limit, it may be determined that the matching is complete and successful.
- the API call sequence of the virus sample to be tested may also be matched with the key API call sequences or one or more of the characteristic API call sequences of the virus families. Alternatively, the matching result may be presented to a client or a user that sent the virus sample. Based on a feedback from the client or the user, it may be determined whether the matching is complete and successful.
- a supplemental matching may be performed.
- matching between the API call sequence of the virus sample and the key API call sequences of each one of the virus families is accomplished.
- This supplemental matching may also be referred as approximate string matching or fuzzy string searching.
- the matching rate between the API call sequence of the virus sample and the characteristic API call sequence of one of the virus families reaches a limit
- a more accurate result may be obtained by returning the virus sample to the sender (e.g., administrator) with a notice that it is possible that the virus sample is a new type of virus variant and that a confirmation is requested.
- the sender e.g., administrator
- whether or not the virus sample is a new type of virus variant may be recorded in accordance with the instructions from the administrator.
- Step 150 it is determined whether the matching between the API call sequence of the virus sample and the characteristic API call sequences of the virus families is complete and successful.
- Step 160 it is determined that the matching is complete and successful.
- the virus sample to be tested may be determined to be a virus variant depending on the extent of a match between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences of the virus families.
- the API call sequence of this virus sample may be recorded and included in the feature library of characteristic API call sequences. Also, a key API call sequence for the virus sample (or new virus variant) is also selected from the API call sequence of this virus sample (or new virus variant) to be recorded in the feature library of characteristic API call sequences. In this way, the feature library of characteristic API sequences keeps updating according to the matching results of the continuous matching processes to ensure that its data is up to date and effective.
- FIG. 2 illustrates an apparatus 2000 for identifying virus variants in accordance with an embodiment.
- the apparatus 2000 includes an execution unit 20 , a matching unit 21 coupled to the execution unit 20 , and a recognition unit 22 coupled to the matching unit 21 .
- the execution unit 20 , the matching unit 21 , and the recognition unit 22 are implemented in a computer (e.g., 3000 FIG. 3 ) including a memory that is accessible by a processor and/or a GPU (graphics processor unit).
- the execution unit 20 , the matching unit 21 , and the recognition unit 22 are computer-executable instructions stored in the memory of a computer (e.g., 3000 FIG. 3 ), where the computer-executable instructions are executed by a processor and/or a GPU.
- the execution unit 20 runs a virus sample to be tested and records an API call sequence produced during the running of the virus sample. Further, the matching unit 21 obtains a characteristic API call sequence of each one of the virus families and matches the API call sequence produced by the virus sample during running with each one of the characteristic API call sequences of each one of the virus families to obtain a matching result. The plurality of characteristic API call sequences that respectively correspond to the plurality of virus families are obtained, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family. The recognition unit 22 determines, based on the analysis of the matching result, whether the virus sample to be tested is virus variant by extent of a match between the API call sequence of the virus sample to be tested and any one of the characteristic API call sequences of any one of the virus families.
- the execution unit 20 may further run a set of virus samples of the virus families and record API types and API call orders called during the running of the set of virus samples to generate the characteristic API call sequences for each one of the virus families in order to establish a feature library of characteristic API call sequences.
- the execution unit 20 may also simulate a physical triggering event that activates the running of a virus according to a set interval during the process of fuming the virus sample to be tested and the running of the set of virus samples.
- the matching unit 21 may further determine a first API type and API call order called when running any of the characteristic API call sequences of any of the virus families. Also, the matching unit 21 may further determine a second API type and API call order called for the sample virus based on the API call sequence. Then, the matching rate between the first and the second API types and API call orders may be calculated by the matching unit 21 .
- the recognition unit 22 may further determine whether the API call sequence of the virus sample to be tested matches any of the characteristic API call sequences of any of the virus families by the matching rate meeting a first set limit.
- the matching unit 21 may further obtain a key API call sequence of any of the virus families and determine a third API type and API call order called based on the key API call sequence during running of the virus family when a notice is received from the recognition unit 22 carrying a message indicating that the matching rate of the first and second API types and API call orders does not meet the first set limit.
- the key API call sequence includes the appointed key API selected from the characteristic API call sequences of any of the virus families.
- the key API is preset and is able to influence the safe operation of the system. Then, a second matching rate between the second and third API types and API call orders may be calculated by the matching unit 21 .
- the recognition unit 22 may further determine whether the API call sequence of the virus sample matches the key API call sequence by determining whether the second matching rate meets a second set limit. The matching is between the second and the third API types and API call orders. Also, the recognition unit 22 may present the matching result to a client or a user that sent the virus sample and may determine whether the API call sequence of the virus sample matches the key API call sequence based on a feedback from the client or the user (or the sender). The calculation may be conducted using a string matching algorithm in an embodiment.
- FIG. 3 shows a computer system 3000 in accordance with one embodiment of the present disclosure.
- Computer system 3000 depicts the components of a basic computer system in accordance with embodiments of the present disclosure providing the execution platform for certain hardware-based and software-based functionality.
- computer system 3000 comprises at least one CPU 101 , a system memory 115 , and at least one graphics processor unit (GPI)) 180 .
- the CPU 101 can be coupled to the system memory 115 via a bridge component/memory controller (not shown) or can be directly coupled to the system memory 115 via a memory controller (not shown) internal to the CPU 101 .
- the GPU 180 is coupled to a display 112 .
- One or more additional GPUs can optionally be coupled to system 3000 to further increase its computational power.
- System 3000 can be implemented as, for example, a desktop computer system or server computer system, having a powerful general-purpose CPU 101 coupled to a dedicated graphics rendering GPU 180 . In such an embodiment, components can be included that add peripheral buses, specialized graphics memory, IO devices, and the like. Similarly, system 3000 can be implemented as a handheld device (e.g., cellphone, etc.) or a set-top video game console device.
- the GPU 180 can be implemented as a discrete component, a discrete graphics card designed to couple to the computer system 3000 via a connector (e.g., AGP slot, PCI-Express slot, etc.), a discrete integrated circuit die (e.g., mounted directly on a motherboard), or as an integrated GPU included within the integrated circuit die of a computer system chipset component (not shown). Additionally, a local graphics memory 114 can be included for the GPU 180 for high bandwidth graphics data storage.
- the call states of the characteristic API call sequences of the virus families are set as references to monitor the call states of the API call sequences produced during running of virus sample to be tested. Regardless of whether the identification of the virus sample is covered by certain techniques or not, as long as the call state of the API call sequence produced during running of the virus sample matches to an extent the call state of any of the characteristic API call sequences of any of the virus families, the virus sample may be or possibly be considered to be a virus variant in the virus family corresponding with that characteristic API call sequence to which it matches to an extent. Thus, the detection of a virus variant is more accurate. By using a dynamic detecting mechanism, the applicable range of the identification and detection techniques is expanded and the recall ratio is improved.
- the detectable viruses include, but are not limited to, malwares, worms, Trojans, or botnets.
- the applicable scope of the present disclosure includes, but is not limited to, virus variants techniques such as modifying condition codes, etc.
- the present disclosure may be provided in the forms of methods, systems, or computer program products. Therefore, the present disclosure may be embodied as an entirely hardware embodiment, entirely software embodiment, or a combination of a hardware and software embodiment. Moreover, the present disclosure may be used in the forms of computer programmable products that adopt one or multiple computer usable storage mediums including, but no limited to, magnetic storage disks, CD-ROMs, or optical storage containing computer usable program codes.
- each one of the steps and/or blocks in the flow diagrams and/or block diagrams as well as the combinations between each one of the steps/blocks in the flow and/or block diagrams may be embodied by computer program instructions.
- the computer program instructions may be provided for by general purpose computers, dedicated computers, embedded matching units, or other matching units of programmable data processing devices to generate a device that embodies, by computers or matching units of other programmable data processing devices executing instructions, appointed functions in one or multiple steps in the flow diagrams and/or one or multiple blocks in the block diagrams.
- These computer instructions may also be stored in computer readable storage mediums that guide computers or other matching units of programmable data processing devices and work in a specified manner to have the instructions that are stored in the computer readable storage mediums produce results.
- the devices implement functions it one or multiple steps in the flow diagrams and/or one or multiple blocks in the block diagrams.
- These computer program instructions may also be loaded to computers or other programmable data processing devices to produce computer embodied processing by executing a series of operations on computers or other programmable data processing devices to provide, on computers or other programmable data processing devices, steps to embody appointed functions that can be embodied in one or multiple steps in the flow diagrams and/or one or multiple blocks in the block diagrams.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Virology (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Stored Programmes (AREA)
- Measuring Or Testing Involving Enzymes Or Micro-Organisms (AREA)
- Telephonic Communication Services (AREA)
Abstract
Description
- This application claims priority to and the benefit of Chinese Patent Application No. 201510065074.8, filed on Feb. 6, 2015, which is incorporated herein by reference in its entirety.
- Embodiments relate to the field of Internet technology and, more particularly, to identifying virus variants.
- Owing to the popularization of Internet technology and smart devices, the Android platform has quickly grown to become the smart device operating system with the largest market share because it is free and open source. However, safety issues including, but not limited to, malwares, worms, Trojans, and botnets are emerging. Developments have been made in combating antivirus technology by those who develop and transmit viruses, including but not limited to, modifying condition codes, using Java reflection call mechanisms, character string decoding technology, as well as fine tuning-function can structure. This creates a large number of virus variants, thereby leading to inefficiency in the detection and removal of the viruses.
- The antivirus software under the Android platform usually uses the technique of identifying condition codes to detect and remove viruses. However, those who develop and transmit viruses keep developing techniques to make viruses non-detectable. For example, they use mechanisms such as ProGuard, which mixes feature information of virus programs such as virus class names, function names, and constant strings, to mix the information, carried by viruses and make the current antivirus software incapable of detecting and removing viruses and their variants.
- Embodiments according to the disclosure provide the identifying of computer virus variants to improve the accuracy of detecting and removing viruses. The present disclosure overcomes the deficiencies explained above by providing techniques for identifying virus variants by a dynamic detecting mechanism, which improves the accuracy of detecting virus variants, as well as enlarges the applicable range of the techniques for detecting and removing viruses. Regardless of whether or not the identity of the virus sample to be tested has been masked by technical means, virus variants may be accurately detected. The dynamic detection mechanism vastly increases the application scope of virus identification and removal technology and greatly improves the virus recall ratio.
- An embodiment of the present disclosure includes a process to identify virus variants, where the process runs or operates a virus sample to be tested and records an application program interface (API) call sequence produced during the running of the virus sample. Also, a plurality of characteristic API call sequences that respectively correspond to a plurality of virus families are obtained, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family. The API call sequence produced by running the virus sample to be tested is matched with the plurality of characteristic API call sequences to obtain matching results. Based on the matching results, it is determined whether the virus sample is a type of virus variant by the extent of a match between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families.
- An embodiment of the present disclosure includes an apparatus for identifying virus variants, where the apparatus includes an execution unit, a matching unit, and a recognition unit. The execution unit runs or operates the virus sample to be tested and records an API call sequence produced during the running of the virus sample. The matching unit obtains a plurality of characteristic API call sequences that respectively correspond to a plurality of virus families, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family. Also, the matching unit matches the API call sequence of the virus sample with the plurality of characteristic API call sequences to obtain a matching result. The recognition unit determines whether the virus sample is a virus variant by the extent of a match between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families.
- The present disclosure takes the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families as references to monitor the API calls during the running of the virus sample to be tested. As long as there is a match to some extent between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences that respectively correspond to the plurality of virus families, regardless of whether or not the identity of the virus sample to be tested is concealed, the virus sample to be tested may be or possibly be considered to be a virus variant. This dynamic detecting mechanism provides accurate detection of virus variants and expands the applicable range of identification and detection techniques that improve the recall ratio of viruses and decrease the rate of virus manslaughters. The detectable viruses that are referred to in the present disclosure include, but are not limited to, malwares, worms, Trojans, or botnets. Also, the applicable scope of the present disclosure includes, but is not limited to, virus variant techniques aimed at modifying a condition code of a virus.
- Embodiments according to the present disclosure will be better understood from a reading of the following detailed description, taken in conjunction with the accompanying figures, in which like reference characters designate like elements.
-
FIG. 1 illustrates a flowchart of a method of identifying virus variants in accordance with an embodiment of the present disclosure. -
FIG. 2 illustrates a block diagram of an apparatus for identifying virus variants in accordance with an embodiment of the present disclosure. -
FIG. 3 illustrates a computer system in accordance with one embodiment of the present disclosure. - Reference will now be made in detail to the embodiments of the present disclosure. While the disclosure will be described in conjunction with these embodiments, it will be understood that they are not intended to limit the disclosure to these embodiments. On the contrary, the disclosure is intended to cover alternatives, modifications, and equivalents which may be included within the spirit and scope of the appended claims.
- Furthermore, in the following detailed description of the present disclosure, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure. However, it will be recognized by one of ordinary skill in the art that the present disclosure may be practiced without these specific details. In other instances, well-known methods, procedures, components, and circuits have not been described in detail so as not to unnecessarily obscure aspects of the present disclosure.
- In order to improve the accuracy for detecting and removing viruses, the present disclosure provides a method that identifies virus variants using simulation techniques. This method expands the applicable range for detecting and removing viruses, improves the detection rate, and decreases the rate of virus manslaughters.
- In an embodiment, at a preprocessing stage, a feature library of characteristic API call sequences for a plurality of virus families is established to provide information of characteristic API call sequences for identifying virus variants in subsequent stages, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family. First, at the preprocessing stage, an Android simulation environment is called to pile and mark key APIs in a system. APIs are a set of defined functions designed to provide access to a set of routines based on certain software or hardware, with no need to access the source code for an application program. APIs also assist in understanding the details of how components interact in a program. Piling is performed to record key information of every key API at its spot, such as the calling party of an API, the API name, the API class name, etc. Since a virus or a virus variant usually calls a few key APIs during operation to implement the virus vandalism, the APIs that possess important impact may be marked as key APIs based on past development experience so that they can be used when identifying viruses and virus variants. Specifically, an Android simulator is created to pile and mark the APIs called by the system in the framework or the native layer of the Android system. The Android simulator can record and call data such as the user identification of the program.
- There is a feature library of characteristic API call sequences established by recording API types and API call orders called during the running of virus samples of the plurality of virus families to generate a characteristic API call sequence for each one of the virus families. It is appreciated that, in applications, the malicious behaviors of a certain virus family during operation are similar, which means that the behaviors of calling APIs are similar for the same virus family. A virus family is composed of a series of viruses that share the same source. Therefore, based on a virus sample of a virus family, the same characteristic API call sequence that viruses in the same virus family call can be identified and extracted to generate a feature library of characteristic API call sequences that respectively correspond to the plurality of virus families. In the present disclosure, the API call sequence a virus family shares will be referred to as the characteristic API call sequence of that virus family.
- When running a virus sample of a virus family, the framework logic of the Android simulator may be modified to avoid the wait for the occurrence of a physical triggering event that activates the viruses in the virus family. Instead, the system periodically sends different kinds of simulated self-activated events that are used to trigger the running of the virus sample of the virus family. For example, if the physical triggering event that the virus family “A” depends on is “system activation,” then during the running process of the system, instead of restarting the system during its operation, the simulated self-activation will be programmed periodically to activate “system activation” to indicate to the virus sample of the virus family “A” that its triggering condition has been met and its operation may be initiated.
- Furthermore, when a known virus sample of a virus family is operating on the Android simulator, the user's operating environment, such as a mobile phone operating environment and personal computer operating environment, may be simulated using “Monkey” and “UI Automator” modules. “Monkey” is a tool to test an Android application package on the Android system automatically. “UI Automator” is a framework that is used on the Android system to conduct automated tests. Users may use the logic of the framework “UI Automator” to write a test case of a certain Android application package. For example, assuming that there are virus variants a1, a2, and a3 in virus family A, the virus variant a1 has called API1, API2, API3, and API4 during operation; the virus variant a2 has called API1, API3, API5, and API6; and the virus variant a3 has called API2, API3, API6, and API7.
- In the example above, all three virus variants have called API3 and two virus variants have called API1 and API2. Therefore, the call rates of these three APIs exceed a preset threshold, if the preset threshold is assumed to be 50%. Then, the final choice of the characteristic API call sequence of virus family A may be determined as API1, API2, and API3. When recording the characteristic API call sequences for virus families, the call order of the APIs may or may riot be recorded depending on the application environment.
- Based on the characteristic API call sequence generated for each virus family, a feature library of characteristic API call sequences may be established and used to provide characteristic API call sequences any time in the subsequent stages. After the establishment of a characteristic API call sequence for each one of the virus families, a key API call sequence for each one of the virus families may be selected from the characteristic API call sequences that respectively correspond to the plurality of virus families. The key API call sequences may be stored in the feature library as well. The key API call sequence of each one of the virus families includes the selected key APIs that have been piled and marked from the corresponding characteristic API call sequences. Those key APIs correspond to key operations in the system, such as self-activation, connecting to Internet, obtaining private data, sending text messages, etc.
-
FIG. 1 illustrates amethod 1000 of identifying virus variants in accordance with an embodiment of the present disclosure. InStep 100, a virus sample to be tested starts to run. InStep 110, an API call sequence produced by the virus sample during the running of the virus sample is recorded. - In applications, there may be a single virus sample to be tested or a group of virus samples to be tested. Since the detection process is similar for every virus sample to be tested, the present disclosure will discuss the case of a single virus sample to be tested, as an example.
- Specifically, when running or operating the virus sample to be tested, an API call sequence is generated in accordance with the API type and call order called during the operation of the virus sample to be tested. When running the virus sample to be tested, the framework logic of the Android simulator may be modified in order to avoid the wait time for the occurrence of a certain physical triggering event that activates the virus sample during the operation of the virus sample. Instead, the system sends different kinds of simulated self-activated events periodically to automatically trigger the activation of viruses in the virus families to be tested. For example, if the physical triggering event that activates the operating of viruses in the virus families to be tested relies on is “a user sends a text massage,” during the operating of the system, instead of sending the text messages regularly, the system periodically simulates a self-activating event “sending text message.” This indicates to the virus sample to be tested that the requirements to trigger its activation have been met and the operating of the virus sample may be initiated. Furthermore, when the virus sample to be tested is running on the Android simulator, the user operating environment, such as a mobile phone environment and a personal computer environment, may be simulated by using “Monkey” and “UI Automator” modules.
- In
Step 120, a characteristic API call sequence is obtained for each one of the virus families. As explained above, the feature library includes a plurality of characteristic API call sequences that respectively correspond to a plurality of virus families, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family. InStep 130, in a first matching procedure, the API call sequence produced by the virus sample to be tested during its operation is matched with the characteristic API call sequences of the virus families. InStep 140, the matching result is obtained. Specifically, the generated characteristic API call sequences that respectively correspond to each one of the virus families may be obtained from the feature library of the characteristic API call sequence that has been generated in the preprocessing stage. Then, the API call sequence of the virus sample may be matched with each one of the characteristic API call sequences of the virus families. - Since the API call sequence of the virus sample to be tested may require large amount of resources to accomplish the testing in some applications, in order to improve the efficiency of matching the API call sequence of the virus sample to be tested with the characteristic API call sequences of the virus families, a string matching algorithm may be adopted. The string matching algorithm may be used to determine whether there is at least one API timing sequence in the API call sequence path of the virus sample that matches to an extent at least one of the characteristic API call sequences of the virus families. Depending on the extent of the match, the virus sample to be tested may be or possibly be considered to be a virus variant of the virus families.
- String matching algorithm is an exemplary matching algorithm used in the present disclosure. For example, assuming a call path of a function has a series of virus features “P:p1p2p3p4” and assuming a call path of a function “T:t1t2t3t4t5t6t7t8t9” is obtained after the operation of a virus sample. In order to compare these two call paths using the string matching algorithm, it may be determined whether there is a “p1p2p3p4” call path in the call path “t1t2t3t4t5t6t7t8t9.” The simplest way to perform the matching is first to compare “t1” and “p1” to determine if “t1” and “p1” are equivalent. If they are equivalent, then compare “t2” and “p2” to determine if “t2” and “p2” are equivalent. If “t1” and “p1” are not equivalent, compare “t2” with “p1” to determine if “t2” with “p1” are equivalent. Using the same analogy, the comparisons between each one of the components in the call paths may be conducted using the string matching algorithm until rest of the components in the call paths are compared.
- Examples of classic algorithms in the family of string matching algorithms include the Knuth-Morris-Pratt algorithm and the Boyer-Moore algorithm.
- Taking call sequence “1” in a characteristic API call sequence of a virus family as an example, in the process of matching, the operations that can be conducted include, but are not limited to the following operations: determining a first API type and APT call order called when operating the characteristic API call sequence “1” of the virus family and determining a second API type and API call order called when operating the API call sequence of the virus sample to be tested. Once the first and the second API types and APT call orders are determined, the matching rate between the first and second API types and API call orders may be calculated using an algorithm including, but not limited to, a string matching algorithm. If the matching rate reaches a first set limit (e.g., 80%) for at least one of the characteristic APT call sequences of virus families, it may be determined that the matching is complete and successful.
- Furthermore, if the matching rate between the first and the second API types and API call orders does not reach the first set limit, a key API call sequence “1” that corresponds to the characteristic API call sequence “1” of the virus family may be selected from the feature library of characteristic API call sequences configured in the preprocessing stage. The key API call sequence “1” includes the key APIs that are appointed and selected from the characteristic API call sequence, which are also interpreted as the piled and marked APIs in the preprocessing stage. In an embodiment, the key API is appointed in advance and is able to influence the safe operation of the system.
- In the second matching procedure, the next step is to determine a third API type and API call order when operating the key API call sequence “1” and to calculate the matching rate between the second and third API types and APT call orders. If the matching rate between the second and third API types and API call orders reaches a second set limit, it may be determined that the matching is complete and successful. The API call sequence of the virus sample to be tested may also be matched with the key API call sequences or one or more of the characteristic API call sequences of the virus families. Alternatively, the matching result may be presented to a client or a user that sent the virus sample. Based on a feedback from the client or the user, it may be determined whether the matching is complete and successful.
- An operation to record the key API call sequences of each one of the virus families in addition to the characteristic API call sequences of each one of the virus families recorded in the feature library of API sequences exists. Even if the API call sequence of the virus sample to be tested recorded during the operating of the virus sample to be tested does not match to a certain extent any one of the characteristic API call sequences of the any one of the virus families on the record, it may not be concluded that there is no possibility that the virus sample is not a virus variant. In fact, it indicates the possibility that the virus sample is a new type of virus variant. This is possible because there is great variation in the API type and API call order of this virus sample compared to the characteristic API call sequences of the virus families, causing the API call sequence of the virus sample to not match to a certain extent any of the characteristic API call sequences of the existing virus families.
- In order to avoid non-detection of a virus variant, at the point where there is not a match to a certain extent between the API call sequence of the virus sample and any of the characteristic API call sequences of the virus families on record, a supplemental matching may be performed. In the supplemental matching, matching between the API call sequence of the virus sample and the key API call sequences of each one of the virus families is accomplished. This supplemental matching may also be referred as approximate string matching or fuzzy string searching. In this supplemental matching, if there is a certain key API called during the executing or running of the API call sequence of the virus sample and the call order of this key API is similar to a characteristic API call sequence of one of the virus families, or the matching rate between the API call sequence of the virus sample and the characteristic API call sequence of one of the virus families reaches a limit, it may be determined that the matching is complete and successful and that the virus sample may be considered as a new type of virus variant. A more accurate result may be obtained by returning the virus sample to the sender (e.g., administrator) with a notice that it is possible that the virus sample is a new type of virus variant and that a confirmation is requested. When a feedback from the administrator is received, whether or not the virus sample is a new type of virus variant may be recorded in accordance with the instructions from the administrator.
- In Step 150, it is determined whether the matching between the API call sequence of the virus sample and the characteristic API call sequences of the virus families is complete and successful. In
Step 160, it is determined that the matching is complete and successful. Continuing, inStep 170, the virus sample to be tested may be determined to be a virus variant depending on the extent of a match between the API call sequence of the virus sample and at least one of the plurality of characteristic API call sequences of the virus families. - When the virus sample is determined to be a virus variant, the API call sequence of this virus sample (or new virus variant) may be recorded and included in the feature library of characteristic API call sequences. Also, a key API call sequence for the virus sample (or new virus variant) is also selected from the API call sequence of this virus sample (or new virus variant) to be recorded in the feature library of characteristic API call sequences. In this way, the feature library of characteristic API sequences keeps updating according to the matching results of the continuous matching processes to ensure that its data is up to date and effective.
-
FIG. 2 illustrates anapparatus 2000 for identifying virus variants in accordance with an embodiment. Theapparatus 2000 includes anexecution unit 20, amatching unit 21 coupled to theexecution unit 20, and a recognition unit 22 coupled to thematching unit 21. In an embodiment, theexecution unit 20, the matchingunit 21, and the recognition unit 22 are implemented in a computer (e.g., 3000FIG. 3 ) including a memory that is accessible by a processor and/or a GPU (graphics processor unit). In an embodiment, theexecution unit 20, the matchingunit 21, and the recognition unit 22 are computer-executable instructions stored in the memory of a computer (e.g., 3000FIG. 3 ), where the computer-executable instructions are executed by a processor and/or a GPU. Theexecution unit 20 runs a virus sample to be tested and records an API call sequence produced during the running of the virus sample. Further, the matchingunit 21 obtains a characteristic API call sequence of each one of the virus families and matches the API call sequence produced by the virus sample during running with each one of the characteristic API call sequences of each one of the virus families to obtain a matching result. The plurality of characteristic API call sequences that respectively correspond to the plurality of virus families are obtained, where each characteristic API call sequence represents the behavior that characterizes the corresponding virus family. The recognition unit 22 determines, based on the analysis of the matching result, whether the virus sample to be tested is virus variant by extent of a match between the API call sequence of the virus sample to be tested and any one of the characteristic API call sequences of any one of the virus families. - The
execution unit 20 may further run a set of virus samples of the virus families and record API types and API call orders called during the running of the set of virus samples to generate the characteristic API call sequences for each one of the virus families in order to establish a feature library of characteristic API call sequences. Theexecution unit 20 may also simulate a physical triggering event that activates the running of a virus according to a set interval during the process of fuming the virus sample to be tested and the running of the set of virus samples. - When it is determined that there is a match to a certain extent between the API call sequence of the virus sample to be tested and any of the characteristic API call sequences of any of the virus families based on the matching result, the matching
unit 21 may further determine a first API type and API call order called when running any of the characteristic API call sequences of any of the virus families. Also, the matchingunit 21 may further determine a second API type and API call order called for the sample virus based on the API call sequence. Then, the matching rate between the first and the second API types and API call orders may be calculated by the matchingunit 21. - The recognition unit 22 may further determine whether the API call sequence of the virus sample to be tested matches any of the characteristic API call sequences of any of the virus families by the matching rate meeting a first set limit.
- The matching
unit 21 may further obtain a key API call sequence of any of the virus families and determine a third API type and API call order called based on the key API call sequence during running of the virus family when a notice is received from the recognition unit 22 carrying a message indicating that the matching rate of the first and second API types and API call orders does not meet the first set limit. The key API call sequence includes the appointed key API selected from the characteristic API call sequences of any of the virus families. In an embodiment, the key API is preset and is able to influence the safe operation of the system. Then, a second matching rate between the second and third API types and API call orders may be calculated by the matchingunit 21. - The recognition unit 22 may further determine whether the API call sequence of the virus sample matches the key API call sequence by determining whether the second matching rate meets a second set limit. The matching is between the second and the third API types and API call orders. Also, the recognition unit 22 may present the matching result to a client or a user that sent the virus sample and may determine whether the API call sequence of the virus sample matches the key API call sequence based on a feedback from the client or the user (or the sender). The calculation may be conducted using a string matching algorithm in an embodiment.
-
FIG. 3 shows acomputer system 3000 in accordance with one embodiment of the present disclosure.Computer system 3000 depicts the components of a basic computer system in accordance with embodiments of the present disclosure providing the execution platform for certain hardware-based and software-based functionality. In general,computer system 3000 comprises at least oneCPU 101, asystem memory 115, and at least one graphics processor unit (GPI)) 180. TheCPU 101 can be coupled to thesystem memory 115 via a bridge component/memory controller (not shown) or can be directly coupled to thesystem memory 115 via a memory controller (not shown) internal to theCPU 101. TheGPU 180 is coupled to adisplay 112. One or more additional GPUs can optionally be coupled tosystem 3000 to further increase its computational power. The GPU(s) 180 is coupled to theCPU 101 and thesystem memory 115.System 3000 can be implemented as, for example, a desktop computer system or server computer system, having a powerful general-purpose CPU 101 coupled to a dedicatedgraphics rendering GPU 180. In such an embodiment, components can be included that add peripheral buses, specialized graphics memory, IO devices, and the like. Similarly,system 3000 can be implemented as a handheld device (e.g., cellphone, etc.) or a set-top video game console device. - It should be appreciated that the
GPU 180 can be implemented as a discrete component, a discrete graphics card designed to couple to thecomputer system 3000 via a connector (e.g., AGP slot, PCI-Express slot, etc.), a discrete integrated circuit die (e.g., mounted directly on a motherboard), or as an integrated GPU included within the integrated circuit die of a computer system chipset component (not shown). Additionally, a local graphics memory 114 can be included for theGPU 180 for high bandwidth graphics data storage. - In the embodiments discussed above, the call states of the characteristic API call sequences of the virus families are set as references to monitor the call states of the API call sequences produced during running of virus sample to be tested. Regardless of whether the identification of the virus sample is covered by certain techniques or not, as long as the call state of the API call sequence produced during running of the virus sample matches to an extent the call state of any of the characteristic API call sequences of any of the virus families, the virus sample may be or possibly be considered to be a virus variant in the virus family corresponding with that characteristic API call sequence to which it matches to an extent. Thus, the detection of a virus variant is more accurate. By using a dynamic detecting mechanism, the applicable range of the identification and detection techniques is expanded and the recall ratio is improved. The detectable viruses include, but are not limited to, malwares, worms, Trojans, or botnets. The applicable scope of the present disclosure includes, but is not limited to, virus variants techniques such as modifying condition codes, etc.
- Those skilled in the art should appreciate that the present disclosure may be provided in the forms of methods, systems, or computer program products. Therefore, the present disclosure may be embodied as an entirely hardware embodiment, entirely software embodiment, or a combination of a hardware and software embodiment. Moreover, the present disclosure may be used in the forms of computer programmable products that adopt one or multiple computer usable storage mediums including, but no limited to, magnetic storage disks, CD-ROMs, or optical storage containing computer usable program codes.
- The present disclosure is presented based on flow diagrams and/or block diagrams of methods, devices or systems, and computer program products of the embodiments of the present disclosure. It should be understood that each one of the steps and/or blocks in the flow diagrams and/or block diagrams as well as the combinations between each one of the steps/blocks in the flow and/or block diagrams may be embodied by computer program instructions. The computer program instructions may be provided for by general purpose computers, dedicated computers, embedded matching units, or other matching units of programmable data processing devices to generate a device that embodies, by computers or matching units of other programmable data processing devices executing instructions, appointed functions in one or multiple steps in the flow diagrams and/or one or multiple blocks in the block diagrams.
- These computer instructions may also be stored in computer readable storage mediums that guide computers or other matching units of programmable data processing devices and work in a specified manner to have the instructions that are stored in the computer readable storage mediums produce results. The devices implement functions it one or multiple steps in the flow diagrams and/or one or multiple blocks in the block diagrams.
- These computer program instructions may also be loaded to computers or other programmable data processing devices to produce computer embodied processing by executing a series of operations on computers or other programmable data processing devices to provide, on computers or other programmable data processing devices, steps to embody appointed functions that can be embodied in one or multiple steps in the flow diagrams and/or one or multiple blocks in the block diagrams.
- It is also necessary to point out that, in the claims and specification of the present disclosure, terms such as “first” and “second” only are for distinguishing an embodiment or an operation from another embodiment or operation. It does not require or imply that those embodiments or operations have any such real relationship or order. Further, as used herein, the terms “comprising,” “including,” or any other variation is intended to cover a non-exclusive inclusion such that a process, method, article, or device that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or device. Absent further limitation, elements recited by the phrase “comprising a” do not exclude a process, method, article, or device that comprises such elements from including other same elements.
- Although certain embodiments and methods have been disclosed herein, it will be apparent from the foregoing disclosure to those skilled in the art that variations and modifications of such embodiments and methods may be made without departing from the spirit and scope of the disclosure. It is intended that the disclosure shall be limited only to the extent required by the appended claims and the rules and principles of applicable law.
Claims (20)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2016/016741 WO2016127037A1 (en) | 2015-02-06 | 2016-02-05 | Method and device for identifying computer virus variants |
US16/588,398 US11126717B2 (en) | 2015-02-06 | 2019-09-30 | Techniques for identifying computer virus variant |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510065074.8 | 2015-02-06 | ||
CN201510065074 | 2015-02-06 | ||
CN201510065074.8A CN105989283B (en) | 2015-02-06 | 2015-02-06 | A kind of method and device identifying virus mutation |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/588,398 Continuation US11126717B2 (en) | 2015-02-06 | 2019-09-30 | Techniques for identifying computer virus variant |
Publications (2)
Publication Number | Publication Date |
---|---|
US20160232351A1 true US20160232351A1 (en) | 2016-08-11 |
US10460106B2 US10460106B2 (en) | 2019-10-29 |
Family
ID=56566017
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/016,048 Expired - Fee Related US10460106B2 (en) | 2015-02-06 | 2016-02-04 | Method and device for identifying computer virus variants |
US16/588,398 Active 2036-02-28 US11126717B2 (en) | 2015-02-06 | 2019-09-30 | Techniques for identifying computer virus variant |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/588,398 Active 2036-02-28 US11126717B2 (en) | 2015-02-06 | 2019-09-30 | Techniques for identifying computer virus variant |
Country Status (3)
Country | Link |
---|---|
US (2) | US10460106B2 (en) |
CN (1) | CN105989283B (en) |
TW (1) | TW201629832A (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107220546A (en) * | 2017-06-27 | 2017-09-29 | 广东欧珀移动通信有限公司 | Using operation method, device and terminal device |
CN109214178A (en) * | 2017-06-30 | 2019-01-15 | 中国电信股份有限公司 | APP application malicious act detection method and device |
CN109241742A (en) * | 2018-10-23 | 2019-01-18 | 北斗智谷(北京)安全技术有限公司 | A kind of recognition methods of rogue program and electronic equipment |
US10192053B2 (en) * | 2014-12-19 | 2019-01-29 | Baidu Online Network Technology (Beijing) Co., Ltd. | Method, apparatus, system, device and computer storage medium for treating virus |
WO2019156718A1 (en) * | 2018-02-06 | 2019-08-15 | Didi Research America, Llc | System and method for program security protection |
US11270016B2 (en) | 2018-09-12 | 2022-03-08 | British Telecommunications Public Limited Company | Ransomware encryption algorithm determination |
US11449612B2 (en) | 2018-09-12 | 2022-09-20 | British Telecommunications Public Limited Company | Ransomware remediation |
US11481498B2 (en) * | 2019-01-28 | 2022-10-25 | Visa International Service Association | Continuous vulnerability management for modern applications |
US11677757B2 (en) | 2017-03-28 | 2023-06-13 | British Telecommunications Public Limited Company | Initialization vector identification for encrypted malware traffic detection |
US12008102B2 (en) | 2018-09-12 | 2024-06-11 | British Telecommunications Public Limited Company | Encryption key seed determination |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105989283B (en) | 2015-02-06 | 2019-08-09 | 阿里巴巴集团控股有限公司 | A kind of method and device identifying virus mutation |
JP2018109910A (en) * | 2017-01-05 | 2018-07-12 | 富士通株式会社 | Similarity determination program, similarity determination method, and information processing apparatus |
JP6866645B2 (en) | 2017-01-05 | 2021-04-28 | 富士通株式会社 | Similarity determination program, similarity determination method and information processing device |
CN107682314A (en) * | 2017-08-30 | 2018-02-09 | 北京明朝万达科技股份有限公司 | A kind of detection method and device of APT attacks |
CN109472134B (en) * | 2017-12-25 | 2022-04-19 | 北京安天网络安全技术有限公司 | Method and system for extracting control terminal based on API (application program interface) calling sequence |
CN108804922A (en) * | 2018-05-30 | 2018-11-13 | 郑州云海信息技术有限公司 | A kind of determined property method of unknown code |
CN110210219B (en) * | 2018-05-30 | 2023-04-18 | 腾讯科技(深圳)有限公司 | Virus file identification method, device, equipment and storage medium |
CN110944332B (en) * | 2018-09-21 | 2023-05-02 | 武汉安天信息技术有限责任公司 | Short message interception horse detection method and device |
CN109492391B (en) * | 2018-11-05 | 2023-02-28 | 腾讯科技(深圳)有限公司 | Application program defense method and device and readable medium |
CN110399720B (en) * | 2018-12-14 | 2022-12-16 | 腾讯科技(深圳)有限公司 | File detection method and related device |
CN110414228B (en) * | 2018-12-20 | 2023-01-03 | 腾讯科技(深圳)有限公司 | Computer virus detection method and device, storage medium and computer equipment |
CN109815700B (en) * | 2018-12-29 | 2021-10-01 | 360企业安全技术(珠海)有限公司 | Application program processing method and device, storage medium and computer equipment |
US10929276B2 (en) * | 2019-06-14 | 2021-02-23 | Paypal, Inc. | Simulation computing services for testing application functionalities |
CN112580041B (en) * | 2019-09-30 | 2023-07-07 | 奇安信安全技术(珠海)有限公司 | Malicious program detection method and device, storage medium and computer equipment |
CN112580043B (en) * | 2019-09-30 | 2023-08-01 | 奇安信安全技术(珠海)有限公司 | Virtual machine-based disinfection method and device, storage medium and computer equipment |
CN112580042B (en) * | 2019-09-30 | 2024-02-02 | 奇安信安全技术(珠海)有限公司 | Method and device for combating malicious programs, storage medium and computer equipment |
DE202020106660U1 (en) | 2020-11-19 | 2020-12-04 | Dominik Heinzelmann | Lifting aid |
CN114969734B (en) * | 2022-05-16 | 2024-05-14 | 北京航空航天大学 | Lesovirus variant detection method based on API call sequence |
CN117540385B (en) * | 2024-01-09 | 2024-03-29 | 北京数基信息有限公司 | Script file monitoring method, system and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100115620A1 (en) * | 2008-10-30 | 2010-05-06 | Secure Computing Corporation | Structural recognition of malicious code patterns |
US8555385B1 (en) * | 2011-03-14 | 2013-10-08 | Symantec Corporation | Techniques for behavior based malware analysis |
US9165142B1 (en) * | 2013-01-30 | 2015-10-20 | Palo Alto Networks, Inc. | Malware family identification using profile signatures |
Family Cites Families (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2501771B2 (en) | 1993-01-19 | 1996-05-29 | インターナショナル・ビジネス・マシーンズ・コーポレイション | Method and apparatus for obtaining multiple valid signatures of an unwanted software entity |
US5440723A (en) | 1993-01-19 | 1995-08-08 | International Business Machines Corporation | Automatic immune system for computers and computer networks |
US6479055B1 (en) | 1993-06-07 | 2002-11-12 | Trimeris, Inc. | Methods for inhibition of membrane fusion-associated events, including respiratory syncytial virus transmission |
US6017536A (en) | 1993-06-07 | 2000-01-25 | Trimeris, Inc. | Simian immunodeficiency virus peptides with antifusogenic and antiviral activities |
US5684875A (en) | 1994-10-21 | 1997-11-04 | Ellenberger; Hans | Method and apparatus for detecting a computer virus on a computer |
US6067618A (en) | 1998-03-26 | 2000-05-23 | Innova Patent Trust | Multiple operating system and disparate user mass storage resource separation for a computer system |
US6347375B1 (en) | 1998-07-08 | 2002-02-12 | Ontrack Data International, Inc | Apparatus and method for remote virus diagnosis and repair |
US6356937B1 (en) | 1999-07-06 | 2002-03-12 | David Montville | Interoperable full-featured web-based and client-side e-mail system |
US6792543B2 (en) | 2001-08-01 | 2004-09-14 | Networks Associates Technology, Inc. | Virus scanning on thin client devices using programmable assembly language |
US7356736B2 (en) | 2001-09-25 | 2008-04-08 | Norman Asa | Simulated computer system for monitoring of software performance |
US7266844B2 (en) | 2001-09-27 | 2007-09-04 | Mcafee, Inc. | Heuristic detection of polymorphic computer viruses based on redundancy in viral code |
US7478431B1 (en) | 2002-08-02 | 2009-01-13 | Symantec Corporation | Heuristic detection of computer viruses |
WO2004104825A1 (en) | 2003-05-15 | 2004-12-02 | Applianz Technologies, Inc. | Systems and methods of creating and accessing software simulated computers |
US7284273B1 (en) | 2003-05-29 | 2007-10-16 | Symantec Corporation | Fuzzy scanning system and method |
US7360253B2 (en) | 2004-12-23 | 2008-04-15 | Microsoft Corporation | System and method to lock TPM always ‘on’ using a monitor |
US20070083930A1 (en) | 2005-10-11 | 2007-04-12 | Jim Dumont | Method, telecommunications node, and computer data signal message for optimizing virus scanning |
US7822782B2 (en) | 2006-09-21 | 2010-10-26 | The University Of Houston System | Application package to automatically identify some single stranded RNA viruses from characteristic residues of capsid protein or nucleotide sequences |
US20110047618A1 (en) | 2006-10-18 | 2011-02-24 | University Of Virginia Patent Foundation | Method, System, and Computer Program Product for Malware Detection, Analysis, and Response |
US8250655B1 (en) | 2007-01-12 | 2012-08-21 | Kaspersky Lab, Zao | Rapid heuristic method and system for recognition of similarity between malware variants |
CN101632083A (en) | 2007-05-09 | 2010-01-20 | 国际商业机器公司 | A method and data processing system to prevent manipulation of computer systems |
US20090313700A1 (en) * | 2008-06-11 | 2009-12-17 | Jefferson Horne | Method and system for generating malware definitions using a comparison of normalized assembly code |
US9781148B2 (en) * | 2008-10-21 | 2017-10-03 | Lookout, Inc. | Methods and systems for sharing risk responses between collections of mobile communications devices |
US20100154062A1 (en) | 2008-12-16 | 2010-06-17 | Elad Baram | Virus Scanning Executed Within a Storage Device to Reduce Demand on Host Resources |
US8424091B1 (en) * | 2010-01-12 | 2013-04-16 | Trend Micro Incorporated | Automatic local detection of computer security threats |
US20120124007A1 (en) | 2010-11-16 | 2012-05-17 | F-Secure Corporation | Disinfection of a file system |
US20120173155A1 (en) | 2010-12-30 | 2012-07-05 | St. Louis University | Network threading approach for predicting a patient's response to hepatitis c virus therapy |
CN102622536B (en) * | 2011-01-26 | 2014-09-03 | 中国科学院软件研究所 | Method for catching malicious codes |
CN102930206B (en) | 2011-08-09 | 2015-02-25 | 腾讯科技(深圳)有限公司 | Cluster partitioning processing method and cluster partitioning processing device for virus files |
CN102930210B (en) | 2012-10-14 | 2015-11-25 | 江苏金陵科技集团有限公司 | Rogue program behavior automated analysis, detection and classification system and method |
US9202053B1 (en) | 2013-02-27 | 2015-12-01 | Trend Micro Inc. | MBR infection detection using emulation |
US9311480B2 (en) | 2013-03-15 | 2016-04-12 | Mcafee, Inc. | Server-assisted anti-malware client |
US9438620B2 (en) * | 2013-10-22 | 2016-09-06 | Mcafee, Inc. | Control flow graph representation and classification |
CN103839005B (en) * | 2013-11-22 | 2016-09-28 | 北京智谷睿拓技术服务有限公司 | The malware detection method of Mobile operating system and malware detection system |
US9652362B2 (en) * | 2013-12-06 | 2017-05-16 | Qualcomm Incorporated | Methods and systems of using application-specific and application-type-specific models for the efficient classification of mobile device behaviors |
CN105989283B (en) | 2015-02-06 | 2019-08-09 | 阿里巴巴集团控股有限公司 | A kind of method and device identifying virus mutation |
-
2015
- 2015-02-06 CN CN201510065074.8A patent/CN105989283B/en active Active
- 2015-09-02 TW TW104129020A patent/TW201629832A/en unknown
-
2016
- 2016-02-04 US US15/016,048 patent/US10460106B2/en not_active Expired - Fee Related
-
2019
- 2019-09-30 US US16/588,398 patent/US11126717B2/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100115620A1 (en) * | 2008-10-30 | 2010-05-06 | Secure Computing Corporation | Structural recognition of malicious code patterns |
US8555385B1 (en) * | 2011-03-14 | 2013-10-08 | Symantec Corporation | Techniques for behavior based malware analysis |
US9165142B1 (en) * | 2013-01-30 | 2015-10-20 | Palo Alto Networks, Inc. | Malware family identification using profile signatures |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10192053B2 (en) * | 2014-12-19 | 2019-01-29 | Baidu Online Network Technology (Beijing) Co., Ltd. | Method, apparatus, system, device and computer storage medium for treating virus |
US11677757B2 (en) | 2017-03-28 | 2023-06-13 | British Telecommunications Public Limited Company | Initialization vector identification for encrypted malware traffic detection |
CN107220546A (en) * | 2017-06-27 | 2017-09-29 | 广东欧珀移动通信有限公司 | Using operation method, device and terminal device |
CN109214178A (en) * | 2017-06-30 | 2019-01-15 | 中国电信股份有限公司 | APP application malicious act detection method and device |
WO2019156718A1 (en) * | 2018-02-06 | 2019-08-15 | Didi Research America, Llc | System and method for program security protection |
US10853457B2 (en) | 2018-02-06 | 2020-12-01 | Didi Research America, Llc | System and method for program security protection |
US11270016B2 (en) | 2018-09-12 | 2022-03-08 | British Telecommunications Public Limited Company | Ransomware encryption algorithm determination |
US11449612B2 (en) | 2018-09-12 | 2022-09-20 | British Telecommunications Public Limited Company | Ransomware remediation |
US12008102B2 (en) | 2018-09-12 | 2024-06-11 | British Telecommunications Public Limited Company | Encryption key seed determination |
CN109241742A (en) * | 2018-10-23 | 2019-01-18 | 北斗智谷(北京)安全技术有限公司 | A kind of recognition methods of rogue program and electronic equipment |
US11481498B2 (en) * | 2019-01-28 | 2022-10-25 | Visa International Service Association | Continuous vulnerability management for modern applications |
Also Published As
Publication number | Publication date |
---|---|
TW201629832A (en) | 2016-08-16 |
US11126717B2 (en) | 2021-09-21 |
CN105989283A (en) | 2016-10-05 |
CN105989283B (en) | 2019-08-09 |
US10460106B2 (en) | 2019-10-29 |
US20200026854A1 (en) | 2020-01-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11126717B2 (en) | Techniques for identifying computer virus variant | |
WO2020019484A1 (en) | Simulator recognition method, recognition device, and computer readable medium | |
Rathnayaka et al. | An efficient approach for advanced malware analysis using memory forensic technique | |
US8533831B2 (en) | Systems and methods for alternating malware classifiers in an attempt to frustrate brute-force malware testing | |
US9798981B2 (en) | Determining malware based on signal tokens | |
US9239922B1 (en) | Document exploit detection using baseline comparison | |
WO2020019485A1 (en) | Simulator identification method, identification device, and computer readable medium | |
US20110277033A1 (en) | Identifying Malicious Threads | |
WO2020019483A1 (en) | Emulator identification method, identification device, and computer readable medium | |
CN110929264B (en) | Vulnerability detection method and device, electronic equipment and readable storage medium | |
TW201220118A (en) | A method and a system for automatically analyzing and classifying a malicious program | |
US10607011B1 (en) | Method to detect zero-day malware applications using dynamic behaviors | |
US20240104205A1 (en) | Malware detection based on user interactions | |
CN106326737A (en) | System and method for detecting harmful files executable on a virtual stack machine | |
CN108898014B (en) | Virus checking and killing method, server and electronic equipment | |
US11809556B2 (en) | System and method for detecting a malicious file | |
CN106415577B (en) | System and method for identifying the source of a suspicious event | |
WO2019019356A1 (en) | Application program test method and apparatus, computer device and storage medium | |
CN110298173A (en) | The detection Malware hiding by the delay circulation of software program | |
WO2016127037A1 (en) | Method and device for identifying computer virus variants | |
CN109145589B (en) | Application program acquisition method and device | |
CN105447348B (en) | A kind of hidden method of display window, device and user terminal | |
US11321453B2 (en) | Method and system for detecting and classifying malware based on families | |
JP6258189B2 (en) | Specific apparatus, specific method, and specific program | |
CN111131223B (en) | Test method and device for click hijacking |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: ALGOBLU HOLDINGS LIMITED, CAYMAN ISLANDS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GUO, YUEHUA;TANG, HONGGANG;SIGNING DATES FROM 20160203 TO 20160204;REEL/FRAME:037669/0374 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
AS | Assignment |
Owner name: ALIBABA GROUP HOLDING LIMITED, CAYMAN ISLANDS Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE CORRECTIVE ASSIGNMENT TO CORRECT NAME OF ASSIGNEE PREVIOUSLY RECORDED AT REEL: 037669 FRAME: 0374. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNORS:GUO, YUEHUA;TANG, HONGGANG;SIGNING DATES FROM 20160203 TO 20160204;REEL/FRAME:050258/0414 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: BANMA ZHIXING NETWORK (HONG KONG) CO., LIMITED, HONG KONG Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ALIBABA GROUP HOLDING LIMITED;REEL/FRAME:054328/0726 Effective date: 20201028 |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCH | Information on status: patent discontinuation |
Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
|
FP | Lapsed due to failure to pay maintenance fee |
Effective date: 20231029 |